Adhere to the principles of data protection
- For each category of personal data that the application processes, you should identify and document why it is needed. If you cannot identify a reason why it is needed, do not process it. Once you have identified the need to process it, do not process it for any other reason.
- Only process the minimum personal data required for your needs, while also making sure it is adequate for the need identified.
- Ensure the personal data is accurate, and that mechanisms are in place for it to be updated if it is inaccurate.
- Only process the personal data for as long as you require it. Once it is no longer required, delete it. Document retention schedules that describe how long each category of personal data will be processed.
Make sure personal data is secure
The security of personal data should be considered alongside the overall security of the application. Ensure you use secure coding techniques that minimise the potential for the application, and the personal data processed by it, to be breached by an attacker. Test the application at all levels, and consider obtaining the services of professional ethical hackers to try to compromise the application. Encrypt personal data wherever it is possible to do so. Ensure appropriate access controls are in place so that only those with a need to access personal data have access to it.
Allow individuals to exercise their rights
Where an application processes the personal data of a data subject, that individual has specific rights bestowed upon them by privacy regulations. In order to fulfil a request by an individual, it is important to document where within the application the personal data is being processed so that the request can be efficiently dealt with.
Data subjects have the right to access their data. You should ensure that mechanisms are in place to provide a copy of the personal information being processed by the application. Data subjects also have the right to request that you transfer their personal data to another organisation or data repository. If such a request is made, you should be able to transfer the data in a structured, commonly used format. The personal data processed by the application must be accurate and up to date. If it is not, a data subject can request that it is rectified. Ensure there are sufficient mechanisms to allow this to happen.
A data subject may withdraw their consent, or otherwise object to their personal data being processed, and request that it is erased. You should have mechanisms in place to enable the deletion of an individual’s personal data. Alternatively, a data subject may instead request that you stop processing personal data for a given purpose. In this case you do not have to delete the personal data, but you must stop processing it for the purpose identified.
Document where personal data is geographically located and accessed from
Privacy regulations may place restrictions on where personal data can be processed, or they may require appropriate mechanisms to be in place for its transfer outside of a given country or region. If you are processing personal data outside a country or region where the data subject is located, you need to identify the appropriate legal mechanism for transferring data to another country or region. Your customers will need to inform their customers, the end users, where data is being processed. It is important you are able to pass this information on to your customers.
Consider if a feature to track data subject consent is required
The organisations who use your application may identify obtaining data subject consent as the appropriate manner in which to make the processing of personal data lawful. Depending on the nature of how data subjects interact with your application, there may be a requirement for you to provide a mechanism to obtain their consent. If so, you need to keep a record of how and when that consent was provided, and also have mechanisms in place to allow for that consent to be removed.
Provide a privacy notice
When customers visit your website to learn about your company or application, you may be collecting personal data about them (such as cookies), and you may process other personal data such as email addresses and telephone numbers. You should inform your customers about how you process their personal data through a privacy notice. This should be provided as a page on your website. A useful resource for creating your privacy notice is provided below: https://ico.org.uk/for-organisations/make-your-own-privacy-notice/
Make sure appropriate contractual terms are in place with your customers
Privacy regulations distinguish between organisations who determine the purposes for which, and the way in which, personal data is processed, called the data controller, and organisations who process personal data on behalf of the data controller, called the data processor. In most cases, it is likely that you will be a data processor, and your customer will be the data controller. You must only process personal data on instruction from the data controller, and a legal document needs to be in place between you and your customers that reflects that. Make sure you have signed such a document, either by using your customer's, or by using one created by you. A useful resource on what needs to be included in the contract is provided below: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/what-needs-to-be-included-in-the-contract/